<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <title>Analysis of bigwar.tgz</title>
</head>
<body>
<h2>Analysis of files in bigwar.tgz</h2>
<br>
bigwar.tgz is made up of trojanised binaries and the related scripts used to
install them. The following files and directories make up bigwar.tgz:<br>
<table cellpadding="2" cellspacing="2" border="0"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#.a">.a</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#dir">dir</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#libproc.so.2.0.6">libproc.so.2.0.6</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#pstree">pstree</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#statdx">statdx</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#.c">.c</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#du">du</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#login">login</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#read">read</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#top">top</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#.d">.d</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#encrypt">encrypt</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#ls">ls</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#remove">remove</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#v">v</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#.p">.p</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#fix">fix</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#lsof">lsof</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#sc">sc</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#vdir">vdir</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#.x.tgz">.x.tgz</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#ifconfig">ifconfig</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#mailme">mailme</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#sl2">sl2</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#write">write</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#chattr">chattr</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#init">init</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#md5sum">md5sum</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#ssh_host_key">ssh_host_key</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#wroot">wroot</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#check">check</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#initd">initd</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#move">move</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#ssh_host_key.pub">ssh_host_key.pub</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#wscan">wscan</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#cl">cl</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#install">install</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#netstat">netstat</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#ssh_random_seed">ssh_random_seed</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#wted">wted</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#clean">clean</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#killall">killall</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#patch">patch</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#sshd_config">sshd_config</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a href="#curatare">curatare/</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#lg">lg</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#ps">ps</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a href="#startfile">startfile</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name=".a" style="font-weight: bold;"></a><span
 style="font-weight: bold;">.a</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">empty file<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name=".c" style="font-weight: bold;"></a><span
 style="font-weight: bold;">.c, </span><a name=".d"
 style="font-weight: bold;"></a><span style="font-weight: bold;">.d, </span><a
 name=".p" style="font-weight: bold;"></a><span
 style="font-weight: bold;">.p</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Ascii text<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">rootkit configuration file<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> From the shell script "<a
 href="#remove">remove</a>", these files, .c, .d, and .p, are moved to
/usr/include/{hosts.h, proc.h, file.h}. Together with the analysis of the other
trojanised binaries found in this directory, we could deduce the
following:<br>
      <ol>
        <li>/usr/include/hosts.h contains a list of class B IP
addresses and ports that will be filtered out of the output of the
trojanised binaries</li>
        <li>/usr/include/proc.h contains a list of process names that
will be filtered out of the output of the trojanised binaries</li>
        <li>/usr/include/file.h contains a list of filenames and
directories that will be filtered out of the output of the trojanised
binaries</li>
      </ol>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name=".x.tgz" style="font-weight: bold;"></a><span
 style="font-weight: bold;">.x.tgz</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">compressed archive<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">rootkit<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">adore rootkit v 0.38<br>
A copy can be found at <a
 href="http://packetstormsecurity.org/groups/teso/adore-0.38.tar.gz">http://packetstormsecurity.org/groups/teso/adore-0.38.tar.gz</a> </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> By comparing the md5sums of the files
with the original files from the adore-0.38 tarball, we noted that some
customisations have been made to adore.c, configure, and start. There is
also an additional Makefile in .x.tgz, probably created by running
the configure script.<br>
      <ol>
        <li> adore.c: includes an additional "service" to hide.</li>
        <li> configure: hardcodes the password as "nopasswordnow", so
that no user interaction is required and the script can therefore be
called from another script</li>
        <li> start: this file is known as startadore in the original
tarball. It renames adore.o to xC.o</li>
      </ol>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="chattr" style="font-weight: bold;"></a><span
 style="font-weight: bold;">chattr</span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">change attributes of binary<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">RH 6.2 system<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Using the md5sum database from <a
 href="http://www.knowngoods.org">http://www.knowngoods.org</a>, we
found that the md5sum of this binary, b2969301f179b6e74e5102c4af0b49e1,
tallies with that of /usr/bin/chattr on a RH 6.2 system.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="check" style="font-weight: bold;"></a><span
 style="font-weight: bold;">check</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Used to install the adore rootkit,
i.e. <a href="#.x.tgz">.x.tgz</a><br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="cl" style="font-weight: bold;"></a><span
 style="font-weight: bold;">cl</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">clearing logs<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">Alles sauber mein Meister </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">This file is identical to the
file t0rnsb from t0rnkit<br>
A copy of t0rnkit can be found at <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz">http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The string "Alles sauber mein
Meister" provides a unique signature. We used this string to
perform a search on the Internet, which in turn helped us to identify that
this file is part of t0rnkit </td>
    </tr>
  </tbody>
</table>
<br>
<a name="clean" style="font-weight: bold;"></a><span
 style="font-weight: bold;">clean</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> This script is used together with <a
 href="#cl">cl</a> to clear a series of logs. &nbsp;The script passes a
list of two-octet IP address prefixes, host names, and binary names to the
script <a href="#cl">cl</a> for clearing.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="dir" style="font-weight: bold;"></a><span
 style="font-weight: bold;">dir</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised dir<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output did not
reveal any anomalies that suggest this executable is a trojan. We
proceeded to run strace on this executable, and noticed that the
executable tried to access the file /usr/include/file.h. The trojan
uses /usr/include/file.h as its configuration file. &nbsp;Output
that corresponds to entries found in the configuration file is filtered
out. &nbsp;The configuration file has the same format as the
ROOTKIT_FILES_FILE of <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.</td>
    </tr>
  </tbody>
</table>
<br>
<a name="du" style="font-weight: bold;"></a><span
 style="font-weight: bold;">du</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, not stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised du<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">/usr/include/file.h<br>
/xL/lrk5/fileutils-3.13/src/<br>
../../rootkit.h<br>
      <br>
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Linux rootkit 5, i.e. lrk5<br>
A copy of the rootkit can be found at <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz</a> </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> <br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">probably compiled on a Redhat
6.2 system<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="encrypt" style="font-weight: bold;"></a><span
 style="font-weight: bold;">encrypt</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">encoding program<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">SOLcrypt 1.0 by sensei<br>
tornkit version !<br>
usage:<br>
%s -e input-file output-file (encrypt file)<br>
%s -d input-file output-file (decrypt file) </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Although the filename is
encrypt, the program actually performs encoding, since no password is
involved. We did not attempt to reverse engineer the
binary, and hence are not aware of the encoding scheme used.
&nbsp;Also, though the strings output claims a "tornkit version",
our copy of t0rnkit does not have any equivalent program.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="fix" style="font-weight: bold;"></a><span
 style="font-weight: bold;">fix</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">Fixing checksum<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> fix: Can't open %s<br>
fix: Last 17 bytes not zero<br>
fix: Can't fix checksum<br>
fix: No permission to change owner or no such<br>
file<br>
fix: No permission to change mode or no such<br>
file<br>
fix: File %s fixed<br>
fix: read error on %s<br>
fix: Can't read time of day<br>
fix: Can't set time of day<br>
fix: Can't change modify time<br>
      <br>
Usage:<br>
fix original replacement [backup]<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The series of error messages is
similar to that of <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>,
which leads us to believe that this file is derived from lrk5. Going by
the usage line from the strings output, what the
binary does is move "replacement" over "original" and fix the checksum
(using the sum(1) algorithm) if possible. The MAC times of the new file
are modified to read as those of the replacement. The old "original" is
copied to "backup" if a third argument is provided.</td>
    </tr>
  </tbody>
</table>
<br>
<a name="ifconfig" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ifconfig</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised ifconfig<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">ifconfig 1.39 (1999-03-18) </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably t0rnkit<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis </td>
      <td style="vertical-align: top;">Does not display the PROMISC flag
when an interface is sniffing<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="init" style="font-weight: bold;"></a><span
 style="font-weight: bold;">init</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;">Starts the program <a
 href="#initd">initd</a>, <a href="#write">write</a>, and <a
 href="#.x.tgz">.x/start</a><br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="initd" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">initd</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, not stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised sshd<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">sshd version %s [%s]<br>
Usage: %s [options]<br>
Options:<br>
/usr/lib<br>
&nbsp; -f file&nbsp;&nbsp;&nbsp; Configuration file (default
%s/sshd_config)<br>
&nbsp; -d&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Debugging mode<br>
&nbsp; -i&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Started from
inetd<br>
&nbsp; -q&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Quiet (no
logging)<br>
&nbsp; -p port&nbsp;&nbsp;&nbsp; Listen on the specified port (default:
22)<br>
&nbsp; -k seconds Regenerate server key every this many seconds
(default: 3600)<br>
&nbsp; -g seconds Grace period for authentication (default: 300)<br>
&nbsp; -b bits&nbsp;&nbsp;&nbsp; Size of server RSA key (default: 768
bits)<br>
/usr/lib/ssh_host_key<br>
&nbsp; -h file&nbsp;&nbsp;&nbsp; File from which to read host key
(default: %s)<br>
&nbsp; -V str&nbsp;&nbsp;&nbsp;&nbsp; Remote version string already
read from the socket<br>
      <br>
GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-81)<br>
GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-79)<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> <br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">Given the compiler strings,
probably compiled on a Redhat 7.1 system<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="install" style="font-weight: bold;"></a><span
 style="font-weight: bold;">install </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">Batch processing </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">EnForCeR SSH-RK 8.0<br>
Greetingz to memberz from : #st0rm,#alone,#force,#la-cafea<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Installs the trojans and removes
traces of the original tarball, the installation directory, and entries from
lastlog. Also calls the scripts <a href="#remove">remove</a>, <a
 href="#move">move</a>, <a href="#check">check</a>, <a
 href="#startfile">startfile</a>, <a href="#mailme">mailme</a>, <a
 href="#clean">clean</a>, and <a href="#patch">patch</a>.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="killall" style="font-weight: bold;"></a><span
 style="font-weight: bold;">killall </span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, not stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised killall<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">/usr/include/proc.h<br>
      <br>
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) <br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Linux rootkit 5, i.e. lrk5<br>
A copy of the rootkit can be found at <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz</a> </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The trojanised killall will not
kill processes that are listed in the file /usr/include/proc.h<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">From the strings output, the
binary is probably compiled on a Redhat 6.2 system<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="lg" style="font-weight: bold;"></a><span
 style="font-weight: bold;">lg</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Checks if /bin/login has been
trojanised. If not, moves the original /bin/login to
/dev/mounnt (the presence of /dev/mounnt indicates that /bin/login has
been trojanised), and moves a trojanised <a href="#login">login</a> into
its place. </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;"> The hacker often sets the
attributes of installed files to "uai".<br>
u: if the file is deleted, its contents are saved. Intended for
file undeletion, but not honoured by the kernel (as of Linux 2.2) filesystem
code<br>
i: the file cannot be modified. This is likely to confuse an inexperienced
system administrator trying to delete the file.<br>
a: append-only mode<br>
Although not in this case, the hacker does use the +s attribute on other
files<br>
s: the contents are zeroed when the file is deleted </td>
    </tr>
  </tbody>
</table>
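The attribute habit noted in the remarks above is easy to check for on a live system. The following is an added example, not part of the original analysis: it parses lsattr(1) output and flags files carrying any of the u, a, i or s attributes. The sample lines are constructed, and the live-scan helper assumes an ext2/3/4 filesystem with lsattr installed.

```python
"""Flag files carrying the chattr attributes the kit sets ("uai", and
sometimes "s") from lsattr(1) output. Added example; sample lines below
are constructed, not taken from the analysed system.

lsattr prints one line per file: an attribute field, a space, the path.
The width of the attribute field varies between e2fsprogs versions, so
the field is parsed by letter rather than by position.
"""
import subprocess
from typing import Dict, List, Tuple

# Attribute letters discussed in the lg remarks and what they mean.
# Matching is case-sensitive: 'A' (no atime update) is not 'a' (append-only).
SUSPECT_FLAGS = {
    "u": "undeletable (contents kept after unlink)",
    "a": "append-only",
    "i": "immutable",
    "s": "secure deletion (contents zeroed on unlink)",
}


def parse_lsattr_line(line: str) -> Tuple[str, str]:
    """Split an lsattr line into (attribute field, path).
    Paths may contain spaces, so split only on the first space."""
    attrs, _, path = line.strip().partition(" ")
    return attrs, path.strip()


def suspicious_attributes(lines: List[str]) -> Dict[str, List[str]]:
    """Return {path: [flag letters]} for every file whose attribute field
    contains any of the flags in SUSPECT_FLAGS."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        # Skip blank lines and lsattr's own errors (e.g. on /proc entries).
        if not line.strip() or line.startswith("lsattr:"):
            continue
        attrs, path = parse_lsattr_line(line)
        flags = [f for f in SUSPECT_FLAGS if f in attrs]
        if flags:
            found[path] = flags
    return found


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run lsattr recursively on a live directory (Linux ext2/3/4 only)
    and report files with suspect attributes."""
    out = subprocess.run(["lsattr", "-R", path], capture_output=True, text=True)
    return suspicious_attributes(out.stdout.splitlines())


# Constructed sample: a login binary tagged like the lg script does,
# an untouched ls, a relocated original and a path containing a space.
SAMPLE_LSATTR = [
    "su--ia-------e----- /bin/login",
    "-------------e----- /bin/ls",
    "-u--ia------------- /dev/mounnt",
    "----i-------------- /etc/my dir/x",
    "lsattr: Operation not supported While reading flags on /proc/self",
]


if __name__ == "__main__":
    for path, flags in suspicious_attributes(SAMPLE_LSATTR).items():
        print(path, "->", ", ".join(SUSPECT_FLAGS[f] for f in flags))
```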
<br>
<a name="libproc.so.2.0.6" style="font-weight: bold;"></a><span
 style="font-weight: bold;">libproc.so.2.0.6 </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF shared library<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised libproc<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> We parsed the binary using
readelf, and observed that the shared library contains functions such as
proc_hackinit, proc_istrojanised, and proc_childeofhidden, which suggests
that this is a trojanised shared library.<br>
      <br>
We disassembled the shared library with the help of IDA Pro, and
specifically zoomed in on the function proc_hackinit as it is referenced
by <a href="#top">top</a> and <a href="#ps">ps</a>. The proc_hackinit
function<br>
      <ol>
        <li> opens 2 files for reading, "/usr/include/proc.h" and
"/usr/include/hosts.h". These two strings have been obfuscated by
xor-ing with 0xd1, so as to frustrate simple string analysis.</li>
        <li> parses the content of each file. The format of the files is
as follows:</li>
      </ol>
      <div style="margin-left: 40px;"> &nbsp;&nbsp; a) each entry is
separated by a carriage return.<br>
&nbsp;&nbsp; b) within each entry, the fields are separated by spaces,
and the 2nd field is the field of interest.<br>
      <br>
      </div>
By experimenting with top and ps in a controlled environment (RH 6.2
running on VMware), we noted that the 2nd field of each entry of
"/usr/include/proc.h" contains the process name to hide, and the 2nd
field of each entry of "/usr/include/hosts.h" contains an IP
address (or a sub-string of one) to hide if it appears in the command
arguments. In the case of "/usr/include/hosts.h", the first field must
be the number "2".<br>
      </td>
    </tr>
  </tbody>
</table>
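Two points from the analysis above lend themselves to a small analyst tool: the XOR-0xd1 obfuscation of the config paths in libproc.so.2.0.6, which defeats a plain strings run, and the format of /usr/include/proc.h and /usr/include/hosts.h (and, from the .c/.d/.p section, /usr/include/file.h). The following is an added example, not code from the kit or from the original analysis: it searches a binary for the config paths both in the clear and XOR-obfuscated, and parses recovered proc.h/hosts.h files so the analyst can read off what the kit hides. The binary blob and config contents are constructed samples.

```python
"""Defender-side helpers for the libproc/lrk5 configuration files
described above. Added example; all sample data is constructed.

  1. find_config_references: scan a binary blob for the rootkit config
     paths in the clear and XOR-obfuscated with key 0xd1, the trick used
     in libproc.so.2.0.6 that a plain `strings` run misses;
  2. parse_proc_h / parse_hosts_h: parse recovered config files using
     the format deduced above (one entry per line, space-separated
     fields, 2nd field of interest; hosts.h entries must start with "2").
"""
from typing import Dict, List, Set

XOR_KEY = 0xD1

# Paths the trojaned binaries read: the first two are opened by
# proc_hackinit, the third by the lrk5-derived ls/du/dir.
CONFIG_PATHS = [
    "/usr/include/proc.h",
    "/usr/include/hosts.h",
    "/usr/include/file.h",
]


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def find_config_references(blob: bytes) -> Dict[str, List[str]]:
    """Return {path: [form, ...]} for each known config path present in
    the blob, where form is "plain" or "xor-0xd1"."""
    hits: Dict[str, List[str]] = {}
    for path in CONFIG_PATHS:
        forms = {"plain": path.encode(), "xor-0xd1": xor_bytes(path.encode())}
        for label, needle in forms.items():
            if needle in blob:
                hits.setdefault(path, []).append(label)
    return hits


def parse_proc_h(text: str) -> Set[str]:
    """Process names hidden by ps/top: the 2nd field of every entry."""
    hidden: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            hidden.add(fields[1])
    return hidden


def parse_hosts_h(text: str) -> Set[str]:
    """IP (sub)strings hidden from command arguments. Only entries whose
    first field is "2" are honoured by libproc, so others are ignored."""
    hidden: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "2":
            hidden.add(fields[1])
    return hidden


# --- constructed sample data (not taken from the analysed kit) ----------
# A fake "binary": junk, the obfuscated proc.h path, junk, file.h in the clear.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00junk"
    + xor_bytes(b"/usr/include/proc.h")
    + b"\x00more junk\x00"
    + b"/usr/include/file.h\x00"
)
SAMPLE_PROC_H = "3 sniffer\n3 xC\n1 bnc\n"
SAMPLE_HOSTS_H = "2 192.168\n2 10.0.0.5\n1 172.16\n"


def demo() -> Dict[str, object]:
    """Run the helpers over the constructed samples and return the results."""
    return {
        "refs": find_config_references(SAMPLE_BLOB),
        "hidden_procs": parse_proc_h(SAMPLE_PROC_H),
        "hidden_hosts": parse_hosts_h(SAMPLE_HOSTS_H),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real image, read the suspect library with `open(path, "rb").read()` and pass it to find_config_references; a hit in the "xor-0xd1" form is the signature the strings output above could not show.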
<br>
<a name="login" style="font-weight: bold;"></a><span
 style="font-weight: bold;">login</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised login<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">&nbsp;/dev/mounnt<br>
cocacola<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> To figure out how the trojan
functions, we disassembled the trojanised login using IDA Pro. Some of
the more interesting listings can be found in <a href="login_dis.txt">login_dis.txt</a>.
What the trojan does is check whether the environment variable
"TERM" is set to "cocacola". If $TERM=cocacola, a root shell is
presented; otherwise, execution is passed to the original login program,
which should be located at /dev/mounnt.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="ls" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ls</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, not stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised ls<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> /usr/include/file.h<br>
/xL/lrk5/fileutils-3.13/src/<br>
../../rootkit.h<br>
      <br>
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Linux rootkit 5, i.e. lk5<br>
A copy of the rootkit can be found at <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz</a> </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The trojanised ls will not
display the names of files or directories that are listed in
/usr/include/file.h.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">From the strings output, this
binary was probably compiled on a Redhat 6.2 system.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="lsof" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">lsof</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised lsof<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">&nbsp;&nbsp; configuration info:
%s<br>
Mon Nov 20 23:19:00 CET 2000<br>
&nbsp;&nbsp;&nbsp; constructed: %s<br>
SOLos.tw<br>
root<br>
by and on<br>
&nbsp;&nbsp;&nbsp; constructed %s: %s%s%s<br>
&nbsp;&nbsp;&nbsp; compiler: %s<br>
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)<br>
&nbsp;&nbsp;&nbsp; compiler version: %s<br>
-DLINUXV=22017 -DGLIBCV=201 -DHASIPv6 -DLSOF_VSTR="2.2.17" -O<br>
&nbsp;&nbsp;&nbsp; compiler flags: %s<br>
-L./lib -llsof<br>
&nbsp;&nbsp;&nbsp; loader flags: %s<br>
Linux SOLos.tw 2.2.17 #5 SMP Thu Sep 28 13:06:22 CEST 2000 i586 unknown<br>
&nbsp;&nbsp;&nbsp; system info: %s <br>
      <br>
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output did not
reveal any anomalies suggesting that this executable is a trojan. We
proceeded to run strace on the executable and noticed that it
tried to access the file /lib/lidps1.so. &nbsp;After some
trial and error, we noted that /lib/lidps1.so is the configuration
file for the trojan. It stores a list of process names to be hidden from
the output of this trojanised lsof.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">From the strings output, the
binary was probably compiled on a Redhat 6.2 system. &nbsp;As lsof embeds
system information in its binary, the strings output shows that lsof was
compiled on a machine named SOLos.tw by root on 28 Sep 2000 (the
system time may have been set wrongly, though). Note that the original Redhat 6.2
kernel is 2.2.14, while the machine on which lsof was compiled has kernel
2.2.17.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="mailme" style="font-weight: bold;"></a><span
 style="font-weight: bold;">mailme</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Collects system and user
information and mails it to the account r00t@emoka.ro.
&nbsp;The information collected includes /etc/passwd, /etc/shadow,
/proc/cpuinfo, /proc/meminfo and the command output of ifconfig,
uptime and df.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="md5sum" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">md5sum</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised md5sum<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">GCC: (GNU) egcs-2.91.66
19990314/Linux (egcs-1.1.2 release) </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis </td>
      <td style="vertical-align: top;"> As the strings output did not
reveal any anomalies in this binary, we instead attempted to strace the
program. Our strace attempt reveals that the trojanised md5sum binary
attempts to perform 2 additional tasks: 1) create the file
/tmp/behsdf, and 2) read the file /dev/srd0.<br>
      <br>
---start of partial strace output---<br>
open("login1", O_RDONLY|O_LARGEFILE)&nbsp;&nbsp;&nbsp; = 3<br>
open("/tmp/behsdf", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4<br>
open("/dev/srd0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or
directory)<br>
----end of partial strace output----<br>
      <br>
We noted that the script <a href="#remove">remove</a> generates the md5sum
of various programs and redirects the output to a tmp file. This tmp file
is in turn encoded with the <a href="#encrypt">encrypt</a> program to
arrive at the file /dev/srd0. We did exactly what the <a href="#remove">remove</a>
script does: we computed the checksum of a binary, say login1, encoded the
result with the <a href="#encrypt">encrypt</a> program, and stored the
encoded result in the file /dev/srd0. We next renamed another binary, say
login2, as login1, and recomputed the md5 checksum with the trojanised
md5sum. &nbsp;The commands are as follows:<br>
      <br>
[root@RH62 working]# cp bigwar/login login1<br>
[root@RH62 working]# cp /bin/login login2<br>
[root@RH62 working]# bigwar/md5sum login1<br>
b7585233ce551a622cab5ed08494ff12&nbsp; login1<br>
[root@RH62 working]# bigwar/md5sum login2<br>
9b34aed9ead767d9e9b84f80d7454fc0&nbsp; login2<br>
[root@RH62 working]# bigwar/md5sum login1 &gt; tmp; bigwar/encrypt -e tmp /dev/srd0<br>
[root@RH62 working]# bigwar/md5sum login1<br>
b7585233ce551a622cab5ed08494ff12&nbsp; login1<br>
[root@RH62 working]# bigwar/md5sum login2<br>
9b34aed9ead767d9e9b84f80d7454fc0&nbsp; login2<br>
[root@RH62 working]# cp login2 login1<br>
cp: overwrite `login1'? y<br>
[root@RH62 working]# bigwar/md5sum login1<br>
b7585233ce551a622cab5ed08494ff12&nbsp; login1<br>
      <br>
The corresponding strace output is as follows:<br>
      <br>
---start of partial strace output---<br>
open("login1", O_RDONLY|O_LARGEFILE)&nbsp;&nbsp;&nbsp; = 3<br>
open("/tmp/behsdf", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4<br>
open("/dev/srd0", O_RDONLY|O_LARGEFILE) = 5<br>
fstat(5, {st_mode=S_IFREG|0644, st_size=87, ...}) = 0<br>
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40019000<br>
read(5, "z/zIrCzjnXaMOIdhKnyXbZC6LU0MMvPE"..., 4096) = 87<br>
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0<br>
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012d000<br>
read(5, "", 4096) = 0<br>
close(5) = 0<br>
munmap(0x40019000, 4096) = 0<br>
write(4, "b7585233ce551a622cab5ed08494ff12"..., 42) = 42<br>
close(4) = 0<br>
munmap(0x4012d000, 4096) = 0<br>
open("/tmp/behsdf", O_RDONLY|O_LARGEFILE) = 4<br>
fstat(4, {st_mode=S_IFREG|0644, st_size=42, ...}) = 0<br>
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40019000<br>
read(4, "b7585233ce551a622cab5ed08494ff12"..., 4096) = 42<br>
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0<br>
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012d000<br>
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0<br>
write(1, "b7585233ce551a622cab5ed08494ff12"..., 41) = 41<br>
unlink("/tmp/behsdf") = 0<br>
----end of partial strace output----<br>
      <br>
What the trojanised md5sum does is read the file /dev/srd0 if it
exists. &nbsp;The content of /dev/srd0 is then decoded and stored in the
file /tmp/behsdf. Next the trojan checks whether the name of the file
whose md5sum is to be computed appears in /tmp/behsdf. If it does, the
checksum recorded there (rather than one computed from the file content)
is output to the screen, and the tmp file is deleted.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;"> From the strings output, the
binary was probably compiled on a Redhat 6.2 system.</td>
    </tr>
  </tbody>
</table>
<br>
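Because the trojanised md5sum answers from a table keyed on the file name, the defence is to hash the content with an implementation the intruder did not control and compare. The script below is an added example for this write-up (not part of bigwar.tgz): it computes MD5 with Python's hashlib and reports every file whose tool-reported digest disagrees with its content, then replays the login1/login2 experiment above on constructed files.<br>

```python
"""Verify checksums independently of the host's md5sum binary.

Added example for this write-up, not part of bigwar.tgz.  The page shows
that the trojanised md5sum returns a stored digest keyed on the file
NAME, so it is caught by hashing the content with an independent
implementation (hashlib here) and comparing.  The sample files and the
"reported" digests in demo() are constructed."""
import hashlib
import os
import tempfile


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Independent MD5 of the file content, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_reported_digests(reported, directory):
    """Compare digests a checksum tool reported (name -> hex digest)
    with independently computed ones.  Returns the names whose reported
    digest does not match the content: either the file changed after the
    report, or the tool that produced `reported` is lying."""
    mismatches = []
    for name, claimed in reported.items():
        actual = md5_of_file(os.path.join(directory, name))
        if actual.lower() != claimed.lower():
            mismatches.append(name)
    return sorted(mismatches)


def demo():
    """Replay the experiment above: login1 has been overwritten with
    login2's content, yet a name-keyed tool still reports login1's old
    digest (the value from the session above)."""
    d = tempfile.mkdtemp(prefix="md5demo-")
    content = b"genuine login binary (constructed)\n"
    for name in ("login1", "login2"):          # as after `cp login2 login1`
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    real = md5_of_file(os.path.join(d, "login2"))
    # Constructed tool output: login2 is hashed honestly, login1 is not.
    reported = {"login1": "b7585233ce551a622cab5ed08494ff12", "login2": real}
    return check_reported_digests(reported, d)


if __name__ == "__main__":
    print("files whose reported digest does not match content:", demo())
```

In an investigation the `reported` map would come from the suspect host's md5sum, and the comparison should be run from a trusted medium; on an RPM-based system such as RH 6.2, `rpm -V` gives a second, package-based baseline for the same binaries.<br>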
<a name="move" style="font-weight: bold;"></a><span
 style="font-weight: bold;">move </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis </td>
      <td style="vertical-align: top;">Used for removing various files
(most likely rootkit-related), killing processes, and clearing
logs. Probably used to remove rootkits installed by a previous
hacker. <br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="netstat" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">netstat</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised netstat<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output did not
reveal any anomalies suggesting that this executable is a trojan. We
proceeded to run strace on the executable and noticed that it
tried to access the file /usr/include/hosts.h, which the trojan
uses as its configuration file. &nbsp;Output lines containing an IP
address (a partial match on the address is sufficient) or a port
number that corresponds to an entry in the configuration file
are filtered out. &nbsp;The configuration file has the same format as
the ROOTKIT_ADDRESS_FILE of <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.</td>
    </tr>
  </tbody>
</table>
<br>
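A user-land trojanised netstat filters its own output, but it still reads the kernel's socket table from /proc/net/tcp, which it cannot alter. The parser below is an added example for this write-up (not part of bigwar.tgz): it decodes the little-endian hex endpoints of /proc/net/tcp, lists sockets that a netstat listing omitted, and flags listeners on unexpected ports (the kit's sshd_config, later on this page, sets port 17985, which is 0x4641). The sample table and the "netstat output" set are constructed.<br>

```python
"""Compare the kernel's socket table with what netstat reports.

Added example; not part of bigwar.tgz.  The sample /proc/net/tcp and the
constructed netstat result below are illustrative only."""
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed: sshd on 22, a second listener on 17985 (0x4641), and an
# established session on 17985 from 64.220.46.57 (the host named on this page).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:4641 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 300 0 0 2 -1
   2: 0F02000A:4641 392EDC40:0400 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 20 4 30 10 -1
"""
# Constructed: what a netstat whose hide list contains 17985 would show.
SAMPLE_NETSTAT_SOCKETS = {("0.0.0.0", 22, "0.0.0.0", 0)}


def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "inode": fields[9] if len(fields) > 9 else None,
        })
    return sockets


def hidden_sockets(kernel_sockets, netstat_sockets):
    """Kernel sockets absent from the (local, port, remote, port) set netstat printed."""
    return [s for s in kernel_sockets
            if s["local"] + s["remote"] not in netstat_sockets]


def unexpected_listeners(kernel_sockets, allowed_ports):
    """Listening endpoints on ports outside the allow-list."""
    return [s["local"] for s in kernel_sockets
            if s["state"] == "LISTEN" and s["local"][1] not in allowed_ports]


def live_sockets(path="/proc/net/tcp"):
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read())


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for s in hidden_sockets(socks, SAMPLE_NETSTAT_SOCKETS):
        print("not shown by netstat:", s)
    print("unexpected listeners:", unexpected_listeners(socks, {22}))
```

The inode column is kept because it links a socket back to a process through /proc/PID/fd, which is how the hidden listener and its owner can be tied together even when both ps and netstat are trojanised. This check only covers user-land kits like this one; a kernel module that filters /proc itself needs a different approach.<br>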
<a name="patch" style="font-weight: bold;"></a><span
 style="font-weight: bold;">patch </span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> # patching this box from the
SSHD 1.2.26-31 vulnerability<br>
# by Fracktal&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;">Overwrites the existing sshd with
/sbin/initd (a trojanised sshd?) and kills the current sshd process.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="ps" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ps</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised ps<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Output of readelf command:<br>
$ readelf -a bigwar/ps |grep libproc<br>
&nbsp;0x00000001 (NEEDED) Shared library: [libproc.so.2.0.6]<br>
$ readelf -s bigwar/ps |grep hack<br>
&nbsp;&nbsp;&nbsp; 20: 08048f4c&nbsp;&nbsp; 605 FUNC&nbsp;&nbsp;&nbsp; GLOBAL DEFAULT&nbsp; UND proc_hackinit<br>
      <br>
The readelf output shows that this binary references the
proc_hackinit function of <a href="#libproc.so.2.0.6">libproc.so.2.0.6</a>.
The trojanised ps will hide output matching entries found in the files
/usr/include/proc.h and /usr/include/hosts.h.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="pstree" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">pstree</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised pstree<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">/usr/include/proc.h<br>
      <br>
pstree from psmisc version 18<br>
      <br>
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably derived from <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.&nbsp;<a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>
uses psmisc version 17, rather than psmisc version 18 (as indicated from
strings output).<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The trojanised pstree will hide
output matching entries found in the file /usr/include/proc.h. </td>
    </tr>
  </tbody>
</table>
<br>
<a name="read" style="font-weight: bold;"></a><span
 style="font-weight: bold;">read </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Perl script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">parser<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"># Sorts the output from
LinSniffer 0.03 [BETA] by Mike Edulla &lt;medulla@infosoc.com&gt;<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz">t0rnkit</a>.
This file is similar to t0rnp found in <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz">t0rnkit</a>.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Used to parse the output of LinSniffer.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="remove" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">remove</span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The script performs the
following tasks:<br>
      <ol>
        <li>compute the md5sum of various binaries and store the encoded
result in /dev/srd0</li>
        <li>install trojanised versions of <a href="#lsof">lsof</a>, <a
 href="#libproc.so.2.0.6">libproc.so.2.0.6</a>, <a href="#md5sum">md5sum</a>, <a
 href="#chattr">chattr</a>, <a href="#ifconfig">ifconfig</a>, <a
 href="#netstat">netstat</a>, <a href="#ps">ps</a>, <a href="#top">top</a>, <a
 href="#pstree">pstree</a>, <a href="#dir">dir</a>, <a href="#vdir">vdir</a>, <a
 href="#killall">killall</a>, <a href="#du">du</a>, <a href="#ls">ls</a></li>
        <li>stop the portmap service and remove the portmap start-up
script</li>
        <li>remove /dev/{caca,pisu,dsx}</li>
        <li>mv <a href="#.d">.d</a>, <a href="#.c">.c</a>, and <a
 href="#.p">.p</a> to /usr/include/{proc.h, hosts.h, file.h}
respectively.&nbsp;</li>
        <li>replace <a href="#initd">initd</a><br>
        </li>
      </ol>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">The hacker often uses the command
"touch -acmr &lt;original_file&gt;
&lt;file_whose_timestamp_is_to_be_modified&gt;" to preserve the timestamps of the
modified file. &nbsp;Note that only the modification and access timestamps are
preserved; the status change time (ctime) is not. &nbsp;Thus this
method of modifying timestamps is still unable to evade MAC time analysis
completely.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
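The ctime gap noted in the remarks above can be searched for directly. The script below is an added example for this write-up (not part of bigwar.tgz): it reproduces what `touch -acmr reference target` does with os.utime, then walks a directory and reports files whose ctime is well ahead of their mtime. The demo files and the year-2000 reference time are constructed.<br>

```python
"""Spot files whose ctime is much newer than their mtime, the residue
that `touch -acmr <reference> <file>` leaves behind.

Added example; not part of bigwar.tgz.  utime() can set atime and mtime,
but the kernel stamps ctime with the current time on every inode change,
so a file "aged" this way keeps a ctime at the moment of tampering."""
import os
import tempfile

SLACK_SECONDS = 60           # ignore the normal tiny gap between ctime and mtime
REFERENCE_EPOCH = 970000000  # constructed: 26 Sep 2000 UTC


def copy_times_like_touch_r(reference, target):
    """What `touch -acmr reference target` does: copy atime and mtime only."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def ctime_mtime_gap(path):
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime


def timestomp_suspects(root, slack=SLACK_SECONDS):
    """Walk `root` and return (path, mtime, ctime) for files whose ctime
    is more than `slack` seconds after their mtime.  Package installs
    that preserve upstream mtimes show the same pattern, so treat hits
    as a triage list to check against package records, not as proof."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime > slack:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits)


def demo():
    """Constructed scenario: an old reference file, a replacement aged to
    match it, and an untouched file that should not be flagged."""
    d = tempfile.mkdtemp(prefix="mac-demo-")
    original = os.path.join(d, "login.orig")
    replaced = os.path.join(d, "login")
    untouched = os.path.join(d, "README")
    for p in (original, replaced, untouched):
        with open(p, "w") as fh:
            fh.write("constructed content\n")
    os.utime(original, (REFERENCE_EPOCH, REFERENCE_EPOCH))  # the "old" reference
    copy_times_like_touch_r(original, replaced)             # the aged replacement
    flagged = {os.path.basename(p) for p, _, _ in timestomp_suspects(d)}
    return {
        "mtime_copied": os.stat(replaced).st_mtime == os.stat(original).st_mtime,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(demo())
```

The reference file is flagged as well, since setting its mtime into the past also moves its ctime to "now"; on a real system the interesting hits are the ones in /bin, /sbin, /usr/bin and /lib whose ctime clusters around the suspected intrusion window.<br>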
<a name="sc" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">sc</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">port scanner<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">Usage: %s &lt;a-block&gt;
&lt;port&gt; [b-block] [c-block]<br>
Invalid a-range<br>
Bad port number.<br>
Invalid b-range.<br>
Invalid c-range.<br>
Unable to set O_NONBLOCK<br>
%d.%d.%d.%d<br>
Invalid IP.<br>
./statdx -d0 %s<br>
Lets try to root the %s<br>
We continue to h4x0r ...<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The executable attempts to scan
a range of IP addresses, depending on the number of arguments provided
by the user. &nbsp;When the specified port (given by the 2nd argument) is
open on an address, it will vfork (deduced from strace
output) the program <a href="#statdx">statdx</a> in an attempt to
exploit the host using the rpc.statd exploit. &nbsp;<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="sl2" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">sl2</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">DoS tools<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">Usage: %s srcaddr dstaddr low
high<br>
&nbsp;&nbsp;&nbsp; If srcaddr is 0, random addresses will be used<br>
      <br>
GCC: (GNU) 2.7.2.1<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The executable attempts to SYN
flood the destination address by sending endless spoofed packets to a
port range of the host. The port range is given by the 3rd and
4th arguments.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Remarks<br>
      </td>
      <td style="vertical-align: top;">Contains the string "GCC: (GNU)
2.7.2.1", rather than "GCC: (GNU) egcs-2.91.66 19990314/Linux
(egcs-1.1.2 release)" which is commonly found in the other binaries. This
suggests that this binary was compiled on a different machine.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="ssh_host_key" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ssh_host_key</span><br
 style="font-weight: bold;">
<a name="ssh_host_key.pub" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ssh_host_key.pub</span><br
 style="font-weight: bold;">
<a name="ssh_random_seed" style="font-weight: bold;"></a><span
 style="font-weight: bold;">ssh_random_seed</span><br
 style="font-weight: bold;">
<a name="sshd_config" style="font-weight: bold;"></a><span
 style="font-weight: bold;">sshd_config</span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">configuration files<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">sshd/ssh configuration files and
key information<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">ssh_host_key and
ssh_host_key.pub: root@dev57.msidg.com<br>
sshd_config: Port 17985<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> ssh_host_key &nbsp;and
ssh_host_key.pub<br>
These files contain the private and public key of sshd. The presence of
the string "root@dev57.msidg.com" indicates that dev57.msidg.com
(64.220.46.57) may be one of the (compromised) hosts under the control of
the hacker. We however did not observe any connections to/from this IP
address.<br>
      <br>
ssh_random_seed<br>
This file is required by sshd to seed its random number generator.<br>
      <br>
sshd_config<br>
sshd configuration file. This file indicates that the sshd is
configured to listen on port 17985, perhaps to avoid detection of the
sshd by port scans.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="startfile" style="font-weight: bold;"></a><span
 style="font-weight: bold;">startfile </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Replaces the original init script, if
any, and modifies one of the various startup scripts to call the trojanised
init script. These startup scripts include /etc/rc.d/rc.sysinit,
/etc/rc.d/rc.local, /etc/rc.d/init.d/boot.local and /etc/inittab. </td>
    </tr>
  </tbody>
</table>
<br>
<a name="statdx" style="font-weight: bold;"></a><span
 style="font-weight: bold;">statdx</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality </td>
      <td style="vertical-align: top;">rpc.statd remote root exploit<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">Redhat Linux 6.2/6.1/6.0<br>
statdx2 by ron1n &lt;shellcode@hotmail.com&gt;<br>
Usage: %s [options] target<br>
Available options:<br>
-&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;argument required&gt; [default
behavior]<br>
-t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attack the server using tcp [udp]<br>
-p&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port statd listens on&gt; [query]<br>
-a&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;stack address of the buffer&gt;<br>
-l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;length of the buffer&gt; [1024]<br>
-o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;offset from buffer&gt; [600]<br>
-w&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;number of words to wipe&gt; [9]<br>
-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;timeout in seconds&gt; [5]<br>
-n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;brute force mode count&gt; [1]<br>
-f&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attack saved ebp [saved eip]<br>
-c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;"command to execute"&gt; [portbind]<br>
-d&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; use a hardcoded &lt;type&gt;&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably compiled from statdx.c
by ron1n.<br>
A copy of the source code of the exploit can be found at <a
 href="http://packetstormsecurity.org/0008-exploits/statdx.c">http://packetstormsecurity.org/0008-exploits/statdx.c</a><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> As per what the strings output
indicates.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="top" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">top</span><br>
Trojanised top, refer to <a href="#ps">ps</a> for the analysis.<br>
<br>
<a name="v" style="font-weight: bold;"></a><span
 style="color: rgb(0, 0, 0); font-weight: bold;">v</span><br
 style="font-weight: bold;">
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">DoS tools<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> Vadim v.Ibeta by Luciffer<br>
Anybody<br>
Registered to: %s<br>
--------------------------------<br>
Slashing your angry Vadims at %s, port %d spoofed as %s<br>
Unknown host: %s<br>
Syntax: %s &lt;host&gt; &lt;port&gt; &lt;spoof&gt;<br>
&lt;host&gt;&nbsp;&nbsp;&nbsp; : either hostname or IP address.<br>
&lt;port&gt;&nbsp;&nbsp;&nbsp; : any open UDP port number.<br>
&lt;spoof&gt;&nbsp;&nbsp; : any real, unused ip.&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">As the strings output indicates,
this file is vadim by Luciffer.<br>
A copy of the source code can be found at <a
 href="http://www.vibrasi.net/exploit/vadim.c">http://www.vibrasi.net/exploit/vadim.c</a> </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Sends an endless stream of UDP packets
of predefined size to the destination IP address. Although the help output
indicates that a spoofed IP address can be used as the source IP, we did
not manage to get this feature working. Probably there are some bugs in
the implementation of this feature. <br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="vdir" style="font-weight: bold;"></a><span
 style="font-weight: bold;">vdir</span><br>
Trojanised vdir, refer to <a href="#ls">ls</a> for analysis.<br>
<br>
<a name="write" style="font-weight: bold;"></a><span
 style="font-weight: bold;">write</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">sniffer<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> cant get SOCK_PACKET socket<br>
cant get flags<br>
cant set promiscuous mode<br>
----- [CAPLEN Exceeded]<br>
----- [Timed Out]<br>
----- [RST]<br>
----- [FIN]<br>
%s =&gt;<br>
%s [%d]<br>
eth0<br>
tcp.log<br>
cant open log<br>
Exiting...&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably LinSniffer by Mike
Edulla<br>
A copy of the source code can be found at <a
 href="http://packetstormsecurity.org/Exploit_Code_Archive/linsniffer.c">http://packetstormsecurity.org/Exploit_Code_Archive/linsniffer.c</a>.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output resembles the
error messages generated by LinSniffer. The main purpose of the sniffer
is to capture passwords from clear-text protocols such as ftp and
telnet. The output, in ASCII, is stored in the file tcp.log.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="wroot" style="font-weight: bold;"></a><span
 style="font-weight: bold;">wroot </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">Shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;"> Verific toate argumentele<br>
Introdu ceva , sa scanez<br>
Dureaza citeva momente<br>
Programul a fost lansat&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis </td>
      <td style="vertical-align: top;"> Script for compiling and calling
wscan.<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="wscan" style="font-weight: bold;"></a><span
 style="font-weight: bold;">wscan </span>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">scanner<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">uzaj: %s &lt;bloc-A&gt;
&lt;port&gt; [bloc-B] [bloc-C]<br>
A eronat.<br>
Port incorect.<br>
B eronat.<br>
C eronat.<br>
Nu pot sa setez O_NONBLOCK<br>
%d.%d.%d.%d<br>
Invalid IP.<br>
./wu -h %s<br>
Incerc sa iau %s<br>
Ghinion , continui ...<br>
Eroare: %s&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output is similar to
that of <a href="#sc">sc</a>, though in a different language. The
executable attempts to scan a range of IP addresses, depending on the
number of arguments provided by the user. When an address has the
specified port open (the port is given by the 2nd argument), it will
vfork (deduced from the strace output) the program wu. Judging from
the comment in the shell script <a href="#wroot">wroot</a>, wu is
probably a wu-ftpd exploit program. We, however, do not have the
executable wu to verify this. </td>
    </tr>
  </tbody>
</table>
<br>
<a name="wted" style="font-weight: bold;"></a><span
 style="font-weight: bold;">wted</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">Log cleaner<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">/var/adm/wtmp<br>
wtmp.tmp<br>
Erase entry (y/n/f(astforward))?<br>
Fast forward how many entries?<br>
Entries stored: %d Entries removed: %d<br>
Now chmod wtmp.tmp and copy over the original %s<br>
Usage: utzap -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This help<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-f&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Use FILE instead of default<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-a&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Show all entries found<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-u&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Show all entries for USER<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-b&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Show NULL entries<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-e&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Erase USER completely<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Erase all connections containing HOST<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-z&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Show ZAP'd entries<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-x&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Attempt to remove ZAP'd entries
completely&nbsp; </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Origin<br>
      </td>
      <td style="vertical-align: top;">Probably <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> The strings output bears a close
resemblance to the strings found in wted.c of <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.
The program attempts to delete entries from the wtmp file.<br>
      </td>
    </tr>
  </tbody>
</table>
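Deleting a wtmp record, as wted does, leaves the surrounding records inconsistent: a logout with no login, a login with no logout, or (with zappers that overwrite rather than cut) an all-zero record. The following is an added defender-side check, not code from the kit or from lrk5; it assumes the glibc/x86_64 384-byte utmp layout and builds its own constructed sample wtmp data.

```python
import struct
from collections import namedtuple

# glibc/x86_64 utmp record layout (384 bytes, little-endian); assumption: the
# wtmp file under inspection was written by such a host.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8
Record = namedtuple("Record", "type pid line user host sec")

def parse_wtmp(data):
    """Yield one Record per complete utmp entry; a trailing partial entry is ignored."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode("latin-1")
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield Record(f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9])

def audit_wtmp(data):
    """Return (index, reason) findings that entry removal or zapping tends to leave:
    all-zero records, logouts whose login is gone, and timestamps running backwards."""
    findings, open_lines, last_sec = [], set(), 0
    for i, r in enumerate(parse_wtmp(data)):
        if r.type == 0 and r.pid == 0 and r.sec == 0 and not r.user:
            findings.append((i, "zeroed (ZAP'd) record"))
            continue
        if r.sec < last_sec:  # heuristic: also fires on a genuine clock step backwards
            findings.append((i, "timestamp goes backwards"))
        last_sec = max(last_sec, r.sec)
        if r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS:
            if r.line not in open_lines:
                findings.append((i, "logout without matching login on " + r.line))
            open_lines.discard(r.line)
    return findings

def make_record(rtype, pid, line, user, host, sec):
    """Pack one utmp record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"", b"")

# Constructed sample: a complete session on pts/0, a session on pts/1 whose login
# record has been deleted (only the logout survives), then a zeroed record.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1000000),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1000600),
    make_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1000900),
    bytes(UTMP_SIZE),
])
```

On a live host, pass the bytes of the real file (this kit's default is /var/adm/wtmp, modern Linux uses /var/log/wtmp) to audit_wtmp and compare the findings against a copy of wtmp taken from backup.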
<br>
<br>
<br>
<a name="curatare" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare subdirectory</span><br>
<span style="font-weight: bold;">curatare/.Clean subdirectory</span><br>
Files in curatare/.Clean subdirectory
<table cellpadding="2" cellspacing="2" border="0"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleanattrib">attrib</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleanclean">clean</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleanpstree">pstree</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleanchattr">chattr</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleanps">ps</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><a
 href="#curatare.Cleansshd">sshd</a><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
      <td style="vertical-align: top;" width="20%"><br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<a name="curatare.Cleanattrib" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/attrib</span><br>
<a name="curatare.Cleanchattr" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/chattr</span><br>
Identical to <a href="#chattr">chattr</a><br>
<br>
<a name="curatare.Cleanclean" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/clean</span><br>
Similar to <a href="#cl">cl</a><br>
<br>
<a name="curatare.Cleanps" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/ps</span><br>
<a name="curatare.Cleanpstree" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/pstree</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">ELF executable, stripped<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Functionality<br>
      </td>
      <td style="vertical-align: top;">trojanised ps/pstree<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;" width="20%">Interesting strings
output<br>
      </td>
      <td style="vertical-align: top;">
/usr/lib/locale/ro_RO/uboot/etc/procrc</td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Knowing that one class of trojan
relies on a configuration file to filter the command output, the strings
output indicates that "/usr/lib/locale/ro_RO/uboot/etc/procrc" is a
probable candidate. After some trial and error, we noted that entries
found in /usr/lib/locale/ro_RO/uboot/etc/procrc are filtered from the
command output. The format of the configuration file is similar
to ROOTKIT_PROCESS_FILE of <a
 href="http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz">lrk5</a>.</td>
    </tr>
  </tbody>
</table>
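Because this class of trojan filters the output of ps in userland, the kernel's own view in /proc still lists the hidden processes. The following is an added check, not part of the original analysis or of the kit; it assumes a Linux host with procps-style ps, and the only kit-specific value it uses is the procrc path taken from the strings output above.

```python
import os
import subprocess

# Path of the filter list the trojaned ps/pstree in this kit reads (from the
# strings output); a different kit would use a different path.
PROCRC = "/usr/lib/locale/ro_RO/uboot/etc/procrc"

def procfs_pids():
    """PIDs as the kernel reports them: numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def ps_pids(ps_output):
    """PIDs parsed from the text that `ps -eo pid=` printed (one per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_pids(kernel_pids, reported_pids):
    """PIDs the kernel knows about that the (possibly trojaned) ps left out."""
    return sorted(kernel_pids - reported_pids)

def cmdline(pid):
    """Command line of a PID read straight from /proc, bypassing userland tools."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return "<exited>"

def check_host():
    """Cross-check ps against /proc; return (hidden PIDs, whether procrc exists)."""
    before = procfs_pids()
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    after = procfs_pids()
    # Only PIDs alive both before and after ps ran count, so processes that
    # started or exited during the race window are not reported as hidden.
    hidden = hidden_pids(before & after, ps_pids(out))
    return hidden, os.path.exists(PROCRC)

if __name__ == "__main__":
    hidden, rc_present = check_host()
    if rc_present:
        print("filter list present:", PROCRC)
    for pid in hidden:
        print("hidden from ps:", pid, cmdline(pid))
    if not hidden and not rc_present:
        print("ps output matches /proc")
```

A hidden PID whose cmdline matches an entry in procrc confirms the filtering; an empty result does not prove a clean host, since a kernel-level rootkit can hide entries from /proc as well.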
<br>
<a name="curatare.Cleansshd" style="font-weight: bold;"></a><span
 style="font-weight: bold;">curatare/.Clean/sshd</span><br>
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left; width: 100%;">
  <tbody>
    <tr>
      <td style="vertical-align: top;" width="20%">File type </td>
      <td style="vertical-align: top;">shell script<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">Analysis<br>
      </td>
      <td style="vertical-align: top;"> Startup script for sshd<br>
      </td>
    </tr>
  </tbody>
</table>
<br>
<br>
</body>
</html>
